Email Policy & Best Practice Guidance

Version: v03.1
Supersedes: V03.0
Status: Final
Author: Head of IG & DPO
Date Approved: 09/10/2018
Approved by: IG Operational Delivery Group
Review Date: 09/10/2020

Document uncontrolled when printed



Version: 03.0 Date Approved: 02/05/2018 Status: Final Page: 2 of 22


Document Control Sheet

Title: Email Policy & Best Practice Guidance
Document Status: Final
Document Type: Policy / Guidance
Version Number: v03.1
Document location: http://athena/kmeh/kmeh/igs/Documents/Document%20Centre.aspx
Author: Head of Information Governance & Data Protection Officer
Owner: Head of Information Governance & Data Protection Officer
Approved By: Information Governance Operational Delivery Group
Date Effective From: 09/10/2018
Review Frequency: Two years
Next Review Date: 09/10/2020

Revision History:

Version: V 02.0
Date: 18/08/2016
Summary of Changes: Change of document title – previously titled “Email Management Policy & Best Practice Guidance”. Full revision of content. Document now encompasses “Clinical Email Guidelines”, “Tips for Cleaning up your mailbox (Appendix 2)”, Information on email security and the mailbox management tool ‘Mailsafe’.
Responsible Officer: Information Governance

Version: V 02.1
Date: 25/11/2016
Summary of Changes: 6.2 Specific Obligations – Additional wording regarding auto-forwarding of emails. 6.4 Emails Containing Clinical Content - The sentence “Avoid using patient identifiable information in the subject line, including CHI number” has been removed.
Responsible Officer: Information Governance

Version: V03.0
Date: 02/05/2018
Summary of Changes: Updated to reflect changes to Data Protection Legislation
Responsible Officer: Head of IG & DPO

Version: V03.1
Date: 09/10/2018
Summary of Changes: 6.5 Secure Email. The sentence “The subject line of emails should not contain patient identifiable data” has been removed. The sentence beginning “When emailing “Red” information to trusted partners...” has been amended; it now reads “When emailing “Red” information to trusted external partners...”
Responsible Officer: Information Governance

Approvals: this document was formally approved by:

Name & Title / Group: Unknown. Date: Unknown. Version: V 01.0
Name & Title / Group: Information Governance Operational Delivery Group. Date: 18/08/2016. Version: V 02.0
Name & Title / Group: Information Governance Operational Delivery Group. Date: 02/05/2018. Version: V 03.0


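Dissemination Arrangements:

Intended audience: All staff. Method: AthenA. Date: Oct - 2016. Version: V02.0
Intended audience: All staff. Method: Daily Digest. Date: Oct - 2016. Version: V02.0
Intended audience: All staff. Method: MetaCompliance. Date: Nov - 2016. Version: V02.1
Intended audience: All staff. Method: AthenA. Date: May - 2018. Version: V03.0
Intended audience: All staff. Method: AthenA. Date: Oct – 2018. Version: V03.1

Linked Documentation (document title, followed by document file path):

Corporate Records Management Policy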

http://athena/kmeh/kmeh/igs/Documents/Document%20Centre.aspx

Appropriate Use of IT Facilities Policy

http://athena/kmeh/kmeh/igs/Documents/Document%20Centre.aspx

Management of Employee Conduct Policy

http://athena/ohrd/HRSERV/Contracts%20%20Policies/Policies/Conduct.pdf

Secure Storage, Communication and Transportation of Personal Information Policy

http://athena/kmeh/kmeh/igs/Documents/Document%20Centre.aspx

Health Records Management Policy

http://athena/cgrmrd/ClinGov/DraftGuidance/G087%20Health%20Records%20Management%20Policy.pdf

Reporting and Managing an Information Security Breach

http://athena/kmeh/kmeh/igs/Documents/Document%20Centre.aspx

Caldicott Principles

http://athena/kmeh/kmeh/igs/Pages/WhatisCaldicott.aspx

General Data Protection Regulation

https://www.eugdpr.org/

Freedom of Information (Scotland) Act 2002

http://www.legislation.gov.uk/asp/2002/13/contents

CEL 31 (2010) Scottish Government Records Management: Code of Practice (Scotland) Version 2.1 January 2012

http://www.gov.scot/Resource/Doc/366562/0124804.pdf

DL (2015) 17 Information Governance & Security Improvement Measures

http://www.sehd.scot.nhs.uk/dl/DL(2015)17.pdf

Protecting Patient Confidentiality: NHSScotland Code of Practice

http://athena/kmeh/kmeh/igs/Documents/CodePrac.aspx

Scottish Government (2014) Using Email in NHSScotland: A Good Practice Guide

http://athena/kmeh/kmeh/igs/Documents/Email%20Good%20Practice%20Guide%20August%202014.pdf

Information Commissioners’ Office Employment Practices Code

http://athena/kmeh/kmeh/igs/Documents/EmpPraCode.aspx

NB. This document is uncontrolled when printed. The contents of this document are subject to change, any paper copy is only valid on the day of printing. To ensure you have the most up to date version of this document please use the link to access the document directly from AthenA or contact the Author.


Contents

1.0 Introduction

2.0 Purpose

3.0 Scope

4.0 Definition of Terms

5.0 Roles & Responsibilities

6.0 Email Policy

7.0 Email Best Practice Guidance

8.0 Related Documents

9.0 Appendices


1.0 Introduction

Members of staff are provided, where appropriate, with access to email for business purposes to support them in undertaking their role and fulfilling their duties and responsibilities. Staff should be aware that any documents they create are viewed as the property of NHS Ayrshire & Arran and may constitute a corporate record; this includes email and any attachments. The use of email has superseded in many cases the use of paper based systems and so may document decisions, policies and business activities. Emails have therefore become essential records of those transactions. Given this transition, email records have now become legally admissible documents and certain emails require to be managed like any other record.

2.0 Purpose

The purpose of this policy is to provide clear guidance to email users so that they may comply with the various related legislation, regulation and standards that apply. This policy informs email users of what types of information can be shared via email with NHS colleagues, business partners and patients. This policy sets out the responsibilities associated with the management of emails and their attachments as records.

3.0 Scope

This policy covers all internal and external emails sent and received by email users in NHS Ayrshire & Arran. The policy is applicable to all staff that have access to the NHS Ayrshire & Arran email system. This policy focuses on:

• The responsibilities of email users

• The responsibilities of NHS Ayrshire & Arran

This policy includes a section on Email Best Practice Guidance.

4.0 Definition of Terms

A glossary has been included in Appendix 1 of the document, providing definitions of terms used in this policy.

5.0 Roles & Responsibilities

5.1 Responsibilities of Email Users

All email users must abide by this policy.


Individual members of staff have the same responsibilities for managing email records as they do when managing any other format of NHS Ayrshire & Arran’s records. It is the responsibility of the Departmental Managers and Directors to define and implement procedures to ensure that relevant emails and attachments are saved so that they can be retrieved if necessary, at a future date, for example, on a shared electronic folder or drive. All staff must, when requested, undertake the appropriate searches and submit all information requested to the staff member processing the information request e.g. subject access request, freedom of information request etc, within the defined timescale.

Every user is responsible, in the course of their activities, for:

• Identifying and capturing emails and their attachments which are appropriate for retention as electronic records, because of their business function or content.

• Saving email records to the appropriate system, e.g. a shared electronic folder or drive.

• Managing email and email records in a manner that ensures their integrity, guards against their inappropriate loss or destruction, and cooperating where necessary with an audit trail mechanism.

• Accessing and retrieving relevant emails when requested.

• Regular deletion of emails that are no longer required.

5.2 Responsibilities of NHS Ayrshire & Arran

NHS Ayrshire & Arran will ensure that any electronic systems provided to manage records, including the archiving of email records, will preserve emails securely as retrievable functioning documents and safeguard them from alteration or inappropriate handling. In particular, the systems will ensure that:

• The email record is present and the information and procedures needed to reconstruct the email record and the transactions that have taken place are recorded.

• The email record can be accessed, located and retrieved in a form that is true to the original presentation.

• The email record can be interpreted by showing where and when it was created and by whom, how it was used and how it relates to other information.

• The email record can be trusted and its representation exactly matches that which was actually created and used, and its integrity and authenticity can be demonstrated beyond all reasonable doubt.

• The email record can be preserved for as long as necessary and migrated to other systems and technologies.

• The timely and complete destruction of email records deposited in the archive in accordance with metadata applied by individuals.


• Systems and procedures must be actively managed and monitored for their correct use by managers to ensure that email and email records are correctly disposed of or retained by staff.

• NHS Ayrshire & Arran will provide guidance, and support for staff to help them comply with this policy and manage emails from creation to disposal.

6.0 Email Policy

6.1 Authorisation of Access

Access to NHS Ayrshire & Arran IT facilities including email will only be granted on receipt of an appropriately completed and authorised System Access Request Form.

All users must use their own unique username and password to access NHS Ayrshire & Arran IT facilities, including email. Gaining access by using another employee’s username and password constitutes a breach of NHS Ayrshire & Arran policy.

Sharing passwords or allowing another member of staff to use your PC or access a system while you are logged on constitutes a breach of NHS Ayrshire & Arran policy.

6.2 Specific Obligations

All users must ensure that they familiarise themselves with and comply with the related policy, guidance and legislation listed in Section 8 to ensure that individuals’ rights to confidentiality are respected and the integrity of information systems and IT facilities is maintained at all times.

Users must not knowingly:

• Send any emails/materials/files of a defamatory, illegal, hateful, sexually explicit, obscene, pornographic or otherwise objectionable nature.

• Send communications that knowingly cause distress or offence to another user, or that is intended to annoy, harass or intimidate another person.

• Attempt to introduce viruses. The transmission or propagation of any virus, worm or malicious code is expressly forbidden.

• Waste resources by sending or inviting large amounts of unnecessary email including chain mail, jokes or any other frivolous email.

• Use the email system for excessive personal use – see Section 6.3.

• Use the email system for personal gain, for example, running a business from work or selling personal items.

• Register their NHS email address for non work related communication/websites.

• Send work related email from personal, non work related email accounts.

Work related email must only be sent from official NHSScotland email accounts i.e. @aapct.scot.nhs.uk, @aaaht.scot.nhs.uk or @nhs.net.

Emails sent outwith NHS Ayrshire & Arran MUST include the following statement:


“The information contained in this email is confidential and is intended only for the named recipient(s). If you are not the intended recipient you must not copy, distribute or take any action on or place any reliance on. If you have received this email in error, please notify the sender. Any unauthorised disclosure of the information contained in the email is strictly prohibited.”

Staff should be aware that all emails generated within the NHS Ayrshire & Arran system are viewed as property of NHS Ayrshire & Arran and may be legitimately requested under the Freedom of Information (Scotland) Act 2002 and Data Protection Law.

All emails entering the organisation or originating from the organisation are automatically filtered to ensure that the email system is being used appropriately.

Emails may be blocked if they are viewed as a risk to information systems. Emails containing the following content are automatically blocked by the email system as they present an increased risk to the Information Systems within NHS Ayrshire & Arran (please note; this list is not exhaustive):

• Files
  o .exe files
  o Spam attachments

• Keywords which fall within the following categories:
  o Offensive language
  o Spam
  o Chainmail

• Subject lines as appropriate

• From senders as appropriate

• Virus or malware infected

IT Security continually reviews and amends the categories of content blocked within emails to ensure the integrity and security of the system. Emails which include blocked content will be reviewed by the IT Security Team to ensure that the email has been appropriately blocked. IT Security will also highlight possible defamatory material.

An incident report will be raised when individuals have been identified as sending emails containing the content from the above categories. This will initially be brought to the attention of an HR Manager who will contact the employee’s line manager thereafter and if required managed in accordance with the procedures detailed in NHS Ayrshire & Arran’s Reporting and Managing an Information Security Breach Procedure.

All emails generated within the NHS Ayrshire & Arran system are viewed as the property of NHS Ayrshire & Arran and may constitute a corporate record. Certain emails can also potentially be legally binding documents. Staff have the responsibility to read and, where appropriate, action all emails that they receive. If your emails are not monitored whilst you are on leave you must ensure that on your return, all emails received in your absence are read and actioned. Staff must not set out of office messages that advise emails received whilst on leave will not be read and will be deleted. Doing so would constitute a breach of this policy. It is best practice to put an appropriate “out of office” message onto your email account which advises the period of absence and a suitable alternative contact.

Staff must not auto-forward email to non NHS Ayrshire & Arran email accounts other than those ending in @nhs.net. Doing so would constitute a breach of NHS Ayrshire & Arran policy. IT Security carry out regular audits to monitor the use of auto-forwarding.

6.3 Personal Use

Staff are permitted to use the email system for non work related matters where it does not intrude on the user’s work, colleagues, patients or the environment; does not appear to have been sent on behalf of the organisation; does not bring NHS Ayrshire & Arran into disrepute; and does not contravene this policy, any of the policy guidance and legislation detailed in Section 8 or the NHS Ayrshire & Arran Appropriate Use of IT Facilities Policy.

Non work related activity must be limited to non working time. Personal use of the email system during work time is not appropriate, and any such misuse may be considered a disciplinary matter.

Users must be aware that personal emails generated within the NHS Ayrshire & Arran system are viewed as property of NHS Ayrshire & Arran and may constitute a corporate record and may be legitimately requested under the Freedom of Information (Scotland) Act 2002 and Data Protection Law. Users must be aware that personal use of the email system could result in a tax liability for the individual member of staff.

Users must not store personal files (not business related, such as photographs, music or documents) within the email system.

6.4 Emails Containing Clinical Content

Clinical email is defined as email with clinical content, often including patient identifiable information, sent between clinical sites. Always consider anonymisation of personal identifiable information where possible. Information is said to be anonymised when identifiers, such as name, address, full postcode and any other detail that might identify an individual, are removed. Use the 10 digit CHI number, Surname and Forename to ensure positive identification of the patient. In the absence of CHI, staff should use Surname, Forename and D.O.B. Review your processes regularly to justify the need to store or transfer patient identifiable information in any format.


6.4.1 Departmental Clinical Email Accounts

Departmental Clinical Email accounts allow the sending and receiving of clinical email within a department where a number of staff need access to the information. This method should be used for sending and receiving patient identifiable information such as:

• Referral letters

• Discharge letters

• Clinical letters

Using Departmental Clinical Email accounts is the preferred method for the communication of clinical email; this reduces the risk of:

• breaches in confidentiality that can occur when email is incorrectly addressed to staff with similar surnames and

• clinical email containing important, time sensitive clinical information not being opened and dealt with within an appropriate time scale.

Departments using Clinical Email accounts are required to set up internal processes guaranteeing that emails will be opened regularly. Departmental Clinical email addresses appear on the Ayrshire & Arran Global Address List pre-fixed with the word Clinical. Access to Departmental Clinical Email must be reviewed on a regular basis, to ensure that only staff that need to access that correspondence are granted access to the Departmental Clinical Email account. Passwords for access to email accounts must not be shared. Staff can be given appropriate access to Clinical Email via the formal delegation process by contacting the eHealth Helpdesk. To set up a Departmental Clinical Email Account you should complete the Clinical Email Request Form.

6.5 Secure Email

Staff must comply with the guidance Using Email in NHSScotland: A Good Practice Guide which shows what types of information can be exchanged via email with NHS Colleagues, business partners and patients given the current technical constraints and level of risk. When sending confidential information by email staff must observe the Email Matrix and Guidance to determine which “from” and “to” email addresses can be safely used for this purpose. The matrix also gives guidance on determining the category (Green, Amber or Red) of the data in order to select and cross reference the appropriate email account exchange. A tick indicates that email sent between these networks is approved; a cross indicates that it is not approved.

When emailing “Red” information to trusted external partners, staff must manually enter the term “OFFICIAL – SENSITIVE PERSONAL” in the subject line of the email.


Always take precautions to ensure that the email message is not transmitted to the wrong person. If this happens it may result in a breach of confidentiality and this may lead to the individual sending the email being subject to disciplinary proceedings.

When sending clinical email, either select “Reply to Sender” or select the correct email address from the global address list.

If using NHS net, the recipient’s details can be checked by clicking on the email address within the browse section of the NHS net directory. This will provide more information regarding the recipient e.g. full name, organisation, job title, address and telephone number.

Always be satisfied that you have the correct email address. If you are unsure, verify the correct email address with your intended recipient, either by phone or by sending a test email.

Email distribution/circulation lists should be used with caution. It is essential that distribution/circulation lists are updated when staff leave or move post. Prior to sending to a distribution/circulation list, staff must ensure that all individuals on the list have a legitimate need to receive the information contained in the email.

6.5.1 Emailing Patients

Email is one of several important communications channels with patients and the wider public; however the NHS does not yet have services in place that can deal with high volumes of email securely. All staff must therefore abide by the following steps when emailing patients:

• There must be prior consent that the patient is prepared to accept certain types of communication via email.

• In cases where there is incapacity a guardian with powers of attorney can make the decision.

• Patients must understand that security of emails from the NHS cannot be guaranteed once they enter the Internet.

• Highly sensitive (RED) information should never be shared via email to patients.

• Case notes or clinical parts of the formal patient record should not be emailed to patients.

• Ensure that information to be shared with patients does not contain third party information.

Observe NHS Ayrshire & Arran’s Emailing Patient Guidelines.

6.6 Malicious Email

Although email is a convenient and powerful communications tool it also provides scammers and other malicious individuals an easy means for luring potential victims.

IT Security have controls in place to block malicious emails, however there are occasions when certain emails are difficult to block as the initiators of these emails change frequently and the attachments may have a unique name. To assist the controls already in place, you should never click a link or open an attachment in an email you aren't expecting especially if you don't recognise the sender, but even if you do know who sent it.

To help combat malicious emails, please follow these recommendations:

• If you do not know the sender of an unsolicited email message, DO NOT OPEN IT. YOU MUST DELETE IT from your Inbox and deleted items folder. While most spam emails are usually just annoying text, these particular emails contain a malicious payload and/or other exploit that could steal information.

• Never respond to any spam messages, open attachments within it, or click on any links in the message. Avoid clicking on links or opening attachments in emails from an unexpected, unusual or unknown sender.

Malicious emails may:

• contain a .doc, .xls, .rtf or .xml attachment

• advise that the receipt or remittance advice can be found in the attached document

• have a random name as the sender which will likely not match the email address.

If you receive a suspect email, please contact the eHealth Service Desk on 01292 513355 for further guidance.

7.0 Email Best Practice Guidance

7.1 Reducing Unnecessary Email Usage

Whilst email is a very effective means of communication, its ease of use is also its downfall with the number of unnecessary emails increasing dramatically. The following guidelines will help reduce some of the internal email traffic in NHS Ayrshire & Arran:

• Do not use email when a meeting would be more effective

• Avoid internal “email conversations”

• Avoid trivial responses – it is not always necessary to respond

• Before sending email...ask these questions:
  o Is the message really necessary?
  o Would a telephone conversation or meeting be quicker?
  o Is the message clear and to the point?
  o Are the recipients those who need to know?
  o Is the message in avoidance of a “face-to-face” meeting?

7.2 Use of Email

The ‘To...’ field should include people who need to action or respond to the email.

The ‘Cc...’ field should be used if the email is for information only and no action is required. Where you require to send an email to a distribution list and do not wish to disclose the other recipients’ email addresses, as this may constitute a breach of their confidentiality, the ‘Bcc...’ field should be used. Placing recipients in the ‘Bcc...’ field also removes the ability of the recipients to ‘Reply to All’.

The ‘Subject:’ line should be specific, concise and to the point, clearly outlining the topic; this will make the email more retrievable when conducting a search within Outlook.

To make it clear to the recipient what they are expected to do with the email, start it with ‘ACTION’, ‘FOR INFORMATION’, or ‘RESPONSE REQUIRED’.

The ‘Reply to all’ button should only be used when absolutely necessary.

Signatures should contain essential information:

• Name

• Designation

• Address

• Phone Number

• Email address

Avoid images as these add to the file size. All text should be in Arial, 12pt, black font.

Use short paragraphs and blank lines between each paragraph. Use bullet points where appropriate. Avoid using coloured or patterned ‘stationery’ as it may not present well on other people’s devices.

When replying to an email, the original mail should be included in the reply. Confidential information must be removed if it does not need to be shared.

Delivery/read receipts are often overused and can clutter up inboxes. Delivery/read receipts should only be used where there is a specific need to confirm that the email has been delivered to the recipient/opened by the recipient. Users should consider the effectiveness of applying these; it may be more effective to phone the recipient.

Users should avoid using the words ‘URGENT’ and ‘IMPORTANT’ in emails. If the information is urgent or important, users should consider if email is the best way to communicate.

Users should set out of office messages if they are going to be away from email on a working day. These should be in a standard format for the team/department and should as a minimum include a contact person for the period of absence and the date that the user will be returning.

It is good practice to allow at least one other person read only, delegate, access to your mailbox and calendar in order that they can monitor it for urgent or serious mails whilst you are on holiday or off sick. If delegate access to a mailbox has not been pre-arranged and is required when a staff member is on leave, approval must be sought from the appropriate director. Delegate access to email should only be provided to colleagues with the authority to view the information contained in your mailbox as part of their role. Staff must actively manage delegate access to their email to ensure that only staff with the authority to view the information contained in their mailbox have access.

7.3 Storage and Retention

Email should not be used for official record keeping purposes. Any email correspondence should not be kept for longer than necessary.

7.3.1 What Email Records need to be retained?

Decisions on which records to retain and for how long are dictated by legislation, internal regulations and their value to NHS Ayrshire & Arran. As with any record, the value of an individual email must be determined on its informational content and not on its format. NHS Ayrshire & Arran has in place retention schedules which dictate the periods for which records must be retained and later destroyed. These retention schedules are part of the Corporate Records Retention and Disposal Policy.

7.3.2 Transitory Emails

Not all emails need to be stored. Many emails are only of temporary use and are therefore considered transitory records. A transitory email is typically one that is only needed for a short period of time and not required to document NHS Ayrshire & Arran business. An example of this type of email would be “is this morning’s meeting still on?” Since they will not become part of a final record of decision, and do not fulfil any administrative or operational functions, they do not need to be filed and should be deleted when no longer needed.

7.3.4 Storage and Retention Guidelines for Emails


For information on the categories of emails that must be retained refer to the Corporate Records Retention and Disposal Policy.

The following categories of emails should be deleted as soon as they are no longer required:

• Any other routine messages of a clearly transitory nature
• Personal material
• Trivial work-related material, e.g. routine housekeeping information such as the time and place for meetings, administrative details.

The following categories of emails must be saved to the appropriate folders or shared drive:

• Consultation-type email correspondence between staff working jointly on a project.

7.3.5 Emails Containing Clinical Information Relating to Named Patients

In instances where it is necessary to use email as a means to communicate clinical information relating to the management of a named patient’s care, the clinician has a responsibility to ensure that the content of the email is stored within the patient’s personal health record, by either printing and filing the email within the paper based casenote or saving the email to SCI Store so it can be viewed through Clinical Portal.

In instances where the purpose of the email is other than the delivery of direct patient care the email does not need to be printed and filed in the casenote or saved to SCI Store.

7.3.6 Managing Outlook Folders

Inbox and Sent Items

Emails and their attachments that need to be retained as official records must be saved in accordance with departmental procedures within an electronic folder or shared drive. It is not good practice to use the email system to store important correspondence and attachments which may be deemed corporate records.

It is very easy to forget to manage your sent items but as these represent your communication with other staff and external bodies in the course of business transactions, they are governed by the same records management rules as any other format.

Staff must therefore appraise and appropriately store or delete sent emails immediately after sending the email while its purpose and context is still clear.

Deleted Items


Ensure that your ‘Deleted Email Files’ folder is emptied once a week. This can be set as an automated task within Outlook.

Email Attachments

Documents attached to emails should be filed together with the corresponding email, where appropriate, since the email often provides comments or routing and approval information.

Avoidance of Saving Duplicate Email Records

Emails are rarely “one-off” records but come in related groups, documenting a course of action, request for information, group discussion etc. Duplication of some emails may therefore be unavoidable.

7.3.7 Mailsafe

Mailsafe is a mailbox management tool that improves the efficiency and performance of the email system by automatically transferring all emails older than six months into a secure and encrypted central archiving data store. Mailsafe integrates with Microsoft Outlook and retains only one copy of an email, permitting access to everyone on the original distribution list.

Staff should be aware that although they may have deleted an email, if the sender or any other recipients do not delete it, it will be archived in Mailsafe and will be visible to all on the original distribution list. All communications held by NHS Ayrshire & Arran may be subject to Freedom of Information Requests or Subject Access Requests under Data Protection Law.

More information on Mailsafe can be found on AthenA.

7.4 Email Etiquette

7.4.1 Tone

Tone and emotional content can be hard to interpret when written down, and are often misunderstood.

Always maintain a polite and professional tone.

Do not use slang, abbreviations such as ‘LOL’ or emojis.

Do not write in capitals, as this is perceived as SHOUTING.

Remember ALL emails generated within the NHS Ayrshire & Arran system can be requested under the FOI(S)A or Data Protection Law.

7.4.2 Spelling, Grammar and Punctuation

Emails are viewed as property of NHS Ayrshire & Arran and may constitute a corporate record; ensure correct spelling, grammar and punctuation.

8.0 Related Documents


This policy should be read in conjunction with the following policy documents:

8.1 Local

• Corporate Records Management Policy
• Appropriate Use of IT Facilities Policy
• Management of Employee Conduct Policy
• Secure Storage, Communication and Transportation of Personal Information Policy
• Personal Health Records Management Policy
• Reporting and Managing an Information Security Breach

8.2 National

• Caldicott Principles
• Data Protection Law
• Freedom of Information (Scotland) Act 2002
• CEL 31 (2010) Scottish Government Records Management: Code of Practice (Scotland) Version 2.1 January 2012
• DL (2015) 17 Information Governance & Security Improvement Measures
• Protecting Patient Confidentiality: NHSScotland Code of Practice
• Scottish Government (2014) Using Email in NHSScotland: A Good Practice Guide
• Information Commissioner’s Office Employment Practices Code

9.0 Appendices

Appendix 1 - Definition of Terms
Appendix 2 - Tips for Cleaning Up Your Mailbox


Appendix 1: Definition of Terms

TERM: DEFINITION

Accessing: The right, opportunity, [or] means of finding, using, or retrieving information.

Appraisal: The process of evaluating business activities to determine which records need to be captured and how long the records need to be kept, to meet business needs, the requirements of organisational accountability and community expectations.

Capturing: A deliberate action which results in the indexing of a record into a record keeping system. For certain business activities, this action may be designed into electronic systems so that the capture of records is concurrent with the creation of records.

Disposal: The manual or machine searching of a database to retrieve specific data or records to satisfy requests for information from the database.

Electronic Records: Records communicated and maintained by means of electronic equipment.

Legally admissible: Legal admissibility concerns whether or not a piece of evidence [for the purpose of this Policy, an Electronic Record] would be accepted by a court of law.

Metadata: Metadata describes how and when and by whom a particular record was created, and how the record is formatted. Metadata is essential for a number of records management processes including records retrieval, disposal and auditing.

Retention Schedules: A document that identifies the length of time records must be retained in active/current and inactive/non current storage before its final disposal to permanent storage, archival preservation, or destruction. The schedule also indicates confidentiality, privacy, and vital records for business continuity.

Retrieving: The manual or machine searching of a database to retrieve specific data or records to satisfy requests for information from the database.

Storage: The systematic assembling of documents in containers or depositories for possible future use.

Transitory: Records required only for a limited time to ensure the completion of a routine action or the preparation of a subsequent record. Transitory records are not required to control, support or document the delivery of projects, to carry out operations, to make decisions or to account for activities of the organisation.


Appendix 2: Tips for Cleaning Up Your Mailbox

Good mailbox management requires constant supervision of your folder sizes. This short guide identifies the areas that most commonly require attention and in four steps will help you to reduce your mailbox size.

Step 1: Find out how big your mailbox is

Before you start to clean up your inbox it is a good idea to find out how big it is – as a guide anything over 1500000KB on the server data tab needs your attention! To do this from Outlook:

• Click tools menu

• Select

• On the server data tab you will have a total size including subfolders ending in the value KB

Step 2: Empty your deleted items folder

It is easy to forget that a deleted email is sent to the deleted items folder which can easily become very large. To delete everything in this folder right click the folder and choose “Empty deleted items folder”.

If you want to empty your deleted items folder every time you log off: from the tools menu – options – other tab


Step 3: Find Large Messages

In many cases you will find a small number of messages will account for a large percentage of your mailbox size because attachments have been left with the message rather than saved to a personal document location.

• From the file menu

• Choose the option “Large Mail”

• Choose a limit of 5120 KB for your first search


Now you have found the large items you have four choices:

1. You don’t need the message or the attachment - delete

2. You need the message but not the attachment – open the email right click the attachment and remove it

3. You need the attachment but not the message – open the email and save the attachment, then delete the email

4. You still need the attachment and the message – you can leave it as it is.

Step 4: Old Items

There are items that you need to keep forever, and others that you want to keep forever, but some items are just there because you have forgotten about them! Follow the steps for finding large mail (as above), choosing the option “Old Mail”. You can choose the period you wish to search; however, we recommend that you start your clean up with mail that is more than two years old.